In the field of computing systems, it is known to provide various mechanisms for suppressing execution of program files, scripts and the like. For example, it is known to provide anti-virus software that is configured to scan a program file, script or the like for the presence of a computer virus and, if one is present, to (i) attempt to clean the file and, if successful, permit its execution; (ii) quarantine the infected file until the user decides what course of action to take; or (iii) delete the file. However, in every instance, the foregoing actions depend on the anti-virus software recognizing the file as being infected by a computer virus. Accordingly, anti-virus software is of limited usefulness in blocking execution of programs that may not be infected, but for which there is a desire to block execution nonetheless (e.g., an employer may wish to prevent users from running a web browser). Additionally, such anti-virus programs depend on having up-to-date definitions of virus signatures, and may be ineffective at blocking newly released viruses.
Another attempt in the art to suppress execution of program files involves license metering programs. These programs typically operate by replacing the metered executable with a stub configured to consult a server to determine the number of running copies. Such metering programs then suppress (i.e., prevent) execution when the number of licensed copies is reached. The use of stubs, however, has limited utility for certain types of executable files, for example, e-mail attachments, executable program files on network-attached storage or servers and the like. That is, the use of the stub does not work on all executable files irrespective of the mechanism through which they are executed. This approach has the further downside of requiring disruptive changes to the applications involved.
Yet another attempt in the art to restrict program execution involves Microsoft Windows Domain Policy rules. These rules allow a user to specify which program files to block, but require that the names of such program files be known in advance. This approach is tedious. Additionally, Domain Policy rules do not provide a way to build a permitted application list, so it is difficult for the user to specify which programs should be allowed to execute on a “locked” system.
Still another approach taken in the art for blocking execution of applications involves the use of file-level permissions. File permissions can be manipulated to alter the system security attributes of an executable file. However, as with the Domain Policy rules, this approach requires a priori knowledge of both the files and their installation locations, and hence has the same limitations. Moreover, such an approach is of limited or no value for executables on network or file server storage, as well as for e-mail attachments (i.e., because one cannot set the file attributes in advance for files that become available through those channels). Finally, this approach is ineffective at blocking applications from being used by users that have a high level of permission on the system.
There is therefore a need for an improved system and method for selectively blocking execution of program files on a computer system that minimizes or eliminates one or more of the shortcomings as set forth above.